SETTLEMENT OVERVIEWDocumented Losses and Time
If you have documentation establishing that you suffered out-of-pocket losses, unreimbursed charges, or time spent remedying issues relating to the Home Depot data breach, you can make a claim for reimbursement up to $10,000, including up to 5 hours of documented time at $15 per hour. If you have documented out-of-pocket losses or unreimbursed charges, you will be eligible to self-certify your time spent remedying issues relating to the data breach at $15 per hour for up to 2 hours.

Monitoring Services
If you used a credit or debit card at a self-checkout lane at a U.S. Home Depot store between April 10, 2014 and September 13, 2014, and your payment card information was compromised, you are eligible to enroll in 18 months of free Identity Guard® Essentials identity monitoring services, regardless of whether you are eligible to submit a claim for documented losses or time. You may make a claim for documented losses or time and also enroll in monitoring services.

Leonard Law Office, PC is representing Massachusetts consumers in an active class action lawsuit against Home Depot. The complaint alleges:

A nationwide breach in Home Depot’s point-of-sale retail credit/debit card processing network and computer system and/or “cardholder data environment” compromised personal and financial data (the “Personal Information”) connected to about 56 million Home Depot customers’ credit and debit card accounts. The breach, which began in April 2014 and ended on or about September 8, 2014, was the second largest retail payment card data breach in U.S. history. Home Depot is the world’s largest home improvement retailer.

As a result of the breach, millions of customers who shopped at a Home Depot “brick and mortar” store anywhere in the United States between April 1, 2014 and September 8, 2014 and paid by credit or debit card, had their personal and financial information breached. Many of these customers have already reported unauthorized charges to their accounts, and many more such unauthorized transactions are expected in the coming weeks and months.

Home Depot failed to live up to its duty to protect customers’ private financial information, although its own employees warned the company of known weaknesses in its cardholder data environment as early as 2008[1]

A massive breach of a retailer’s cardholder data environment and wide scale release of Personal Information, such as the one that affected Home Depot during some of the busiest home improvement shopping days of the year, would not have occurred absent the retailer’s failure to comply with these and dozens of other Data Security Standards.

Home Depot failed to exercise the care it owes to Plaintiffs and the other Class members – namely, safeguarding its cardholder data environment and securing their Personal Information.

News of the widespread data breach was first published by Brian Krebs, a data security expert. Brian Krebs’ computer security blog is a “top source for investigative reporting on cybercrime and Internet security.”[1] On September 2, 2014 Krebs posted: “Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground.”[2]

After Krebs broke the story, a flood of national mainstream media reports followed. By September 18, 2014, Home Depot’s data breach was fully exposed by all of the major news outlets.

The Wall Street Journal Reported:”…56 million cards may have been compromised in a five-month attack on its payment terminals, making the breach much bigger than the holiday attack at Target Corp.”[3]

Reuters Reported: “Wesley McGrew, an expert of retail breaches who is an assistant research professor at the department of computer science at Mississippi State University, said that Home Depot is going to be expected to bear the costs related to fraud and payment card replacement…Criminals have frequently used software that evades detection, but retailers are expected to closely monitor their networks using tools that are designed to uncover signs of a crime in progress, McGrew said…It’s hard to feel sorry for them when there are things they could have done to improve the security of these transactions.”[4]

The Boston Globe Reported: “Home Depot might have also benefited in the timing in another way— the disclosure came in September, months after the spring season, which is the busiest time of year for home-improvement chains.[5]

Information encoded on the magnetic stripe of cards is known in the industry as “Magnetic Stripe Data” or “Track Data.” The data encoded in the magnetic stripe is for authorization during card-present transactions. Unauthorized possession of this information is dangerous, because having it enables miscreants to combine all of the elements necessary to create usable counterfeit cards. The theft of ‘track data’ enables the creation counterfeit cards encoded with consumers’ information onto “clone cards” with a magnetic stripe. This means that criminals are able to make clones of cards that were swiped at Home Depot stores and use them to make fraudulent “card-present,” or “card-not-present” debit or credit transactions on consumers’ accounts.

What Home Depot’s announcement in the aftermath of the data breach did not disclose is the full scope of risks posed to consumers who shopped at Home Depot during the breach, or Home Depot’s failure to take precautions in time to prevent the breach from occurring in the first place.

Home Depot’s public relations announcement[6] on its website emphasized the steps it undertook to improve security after the breach, but downplayed the actual harm to consumers. In a press release, Home Depot’s CEO stated, “[w]e apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” and “from the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”

On September 8, 2014, a full six days after Brian Krebs revealed the breach, Home Depot finally released a statement fully confirming that a breach had occurred.

The breach occurred during the busy spring season, a time when consumers historically spend the most on home-improvement goods.

According to the same Internet security researcher that broke the Target data breach story, there is evidence that Home Depot has experienced a massive credit card data breach. It may have started back in April, 2014, and affected nearly every Home Depot in America. If you have shopped at a Home Depot with a credit or debit card in the past six months, you are welcome to contact us immediately. Fake “clone” credit cards have apparently already been made from consumers’ private information obtained during the breach — and are currently being sold by criminals on the Internet.

The Leonard Law Office, P.C. is accepting inquiries from potential Home Depot data breach clients. We are already representing clients in the Target data breach case.

The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores * * * Provides Further Investigation Details, Updates Outlook ATLANTA, September 18, 2014 — The Home Depot®, the world’s largest home improvement retailer, today confirmed that the malware used in its recent breach has been eliminated from its U.S. and Canadian networks. The company also has completed a major payment security project that provides enhanced encryption of payment data at point of sale in the company’s U.S. stores, offering significant new protection for customers. Roll-out of enhanced encryption to Canadian stores will be complete by early 2015. Canadian stores are already enabled with EMV “Chip and PIN” technology. The company said its fiscal third quarter sales, including sales in September, are on plan. Additional guidance is provided below. Investigation Details The investigation into a possible breach began on Tuesday morning, September 2, immediately after The Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems. Since then, the company’s IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to rapidly gather facts, resolve the problem and provide information to customers. The company’s ongoing investigation has determined the following:

Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.

The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.  The malware is believed to have been present between April and September 2014. To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements. The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.

There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca. The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. Customers who wish to take advantage of these services can learn more at http://www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). Customers in Canada can call 800-668-2266. “We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.” Payment Security Enhancements The company’s new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers. Home Depot’s new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms. The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014. The rollout to Canadian stores will be completed by early 2015. EMV “Chip and PIN” technology, which began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all U.S. stores by the end of the year, well ahead of a 2015 deadline established by the payments industry. These projects required writing tens of thousands of lines of new software code and deploying nearly 85,000 new pin pads to stores.

Warnings

Important Information for Commenters

DO NOT USE YOUR REAL NAME WHEN LEAVING COMMENTS ON THIS BLOG! If you do so, you understand that it will appear with your comment, and you consent to it appearing on this blog. If you write a comment and would like your comment to be removed, or the name you used changed to a pseudonym (a fictitious name) please send an email to pleonard@theleonardlawoffice.com.

Disclaimer

The material and information contained on this blog is for educational and entertainment purposes only. No representation is made about the accuracy of the information. By using this blog site you understand that this information is not provided in the course of an attorney-client relationship and is not intended to constitute legal advice. Transmission or receipt of information contained in this web site does not create an attorney-client relationship. Furthermore, transmission or receipt of any correspondence will not create an attorney-client relationship between you and any author of this blog. No assurance is given that any correspondence, via e-mail or otherwise, between you and any author will be secure or treated as confidential or privileged. Please do not send any author any confidential or privileged information. This blog site should not be used as a substitute for competent legal advice from a licensed attorney. Should the reader of this blog need legal advice or require an answer to a specific question, such advice be sought from a licensed attorney. This blog is not intended to serve as an advertisement or solicitation of legal or other business of anyone in any state or other jurisdiction where this web site, or the use thereof, may not be in compliance with any law or ethical rule. This blog site may be considered "advertising" under Massachusetts Supreme Judicial Court Rule 3:07. The material contained on this blog represents the personal views of the individual authors or commentators and do not necessarily represent the views of any organization that any authors is affiliated with or with the views of any other author whom might post on this blog.